Add a programs.podman module #54925
Add a programs.podman module #54925
Conversation
`podman` requires some configuration files, and system package available. This allows to do that by just using `programs.podman.enable = true` in a nixos configuration. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
|
@vdemeester is it supposed to be used with a non root user? while it downloads the It would also be nice to add a really simple test that could be used to easily check this module is working. Something similar to https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/yabar.nix. |
|
Works as expected with a root account. |
| environment.etc."containers/policy.json".text = '' | ||
| { | ||
| "default": [ | ||
| { "type": "insecureAcceptAnything" } |
There was a problem hiding this comment.
I don't think we use this insecure kind of value by default. Could you remove it?
There was a problem hiding this comment.
Also, what about using builtins.toJSON to make the file typo-free, as syntax would at least be checked at compile time.
|
|
||
| environment.etc."containers/registries.conf".text = '' | ||
| [registries.search] | ||
| registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org'] |
There was a problem hiding this comment.
I don't think users need all of these registries by default. Maybe docker.io would be sufficient.
There was a problem hiding this comment.
Just to add, this should be a config option.
|
Once this is ready, it would be great to use podman as a backend for the |
There was a problem hiding this comment.
Running as root works without issue.
Rootless mode seems to have additional issues with version 1.2.0 then the ones already described.
I get the following two errors when trying to pull an image:
cannot find mappings for user pascal: No subuid ranges found for user "pascal" in /etc/subuid
and
using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids
But I think we can look into rootles mode in a separate PR.
|
Um, so this is a pretty much fully hard-coded configuration? Relevant for NixOS/rfcs#42 |
|
@infinisil yeah 😓 I need to update this to add more options and the possibility to bring you own configuration 👼 |
| } | ||
| ''; | ||
|
|
||
| environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage ]; |
There was a problem hiding this comment.
I also added slirp4netns here, other wise I get the following error when running prodman run in rootless mode:
ERRO[0000] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH
There was a problem hiding this comment.
CNI would be needed here too, or how does it work in conjunction with the configured CNI package?
There was a problem hiding this comment.
To be honest I'm currently only running a container with host network. So I probably haven't really used most the CNI stuff.
|
I think I got rootless to work on my system. The two things I needed to do was:
|
| } | ||
| ''; | ||
|
|
||
| environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage ]; |
There was a problem hiding this comment.
CNI would be needed here too, or how does it work in conjunction with the configured CNI package?
|
|
||
| environment.etc."containers/libpod.conf".text = '' | ||
| image_default_transport = "docker://" | ||
| runtime_path = ["${cfg.runcPackage}/bin/runc"] |
There was a problem hiding this comment.
This can be now inferred from $PATH
| environment.etc."containers/libpod.conf".text = '' | ||
| image_default_transport = "docker://" | ||
| runtime_path = ["${cfg.runcPackage}/bin/runc"] | ||
| conmon_path = ["${cfg.conmonPackage}/bin/conmon"] |
|
These configs let me run podman currently, so even without serious changes to the PR, I think this is useful already. |
| Whether to configure podman | ||
| ''; | ||
| type = types.bool; | ||
| }; |
There was a problem hiding this comment.
Can mkEnableOption be used?
-enable = mkOption {
- default = false;
- description = ''
- Whether to configure podman
- '';
- type = types.bool;
-};
+enable = mkEnableOption "podman";
| description = "podman package to be used"; | ||
| type = types.package; | ||
| }; | ||
| runcPackage = mkOption { |
There was a problem hiding this comment.
Imho it's better to wrap the podman binary in the derivation to add these dependencies, podman is also useful on non-nixos.
| description = "runc package to be used"; | ||
| type = types.package; | ||
| }; | ||
| conmonPackage = mkOption { |
There was a problem hiding this comment.
Same, in fact same for all packages. It's better to wrap them.
|
|
||
| environment.etc."containers/registries.conf".text = '' | ||
| [registries.search] | ||
| registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org'] |
There was a problem hiding this comment.
Just to add, this should be a config option.
|
Closing in favor of #85604 👼 |
Motivation for this change
podmanrequires some configuration files, and system package available. This allows to do that by just usingprograms.podman.enable = truein a nixos configuration.(it's a port of my own module)
/cc @nlewo @Mic92
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)